A bit of warning: Phishing Email

Seems the Second Life Christmas grinch is on the prowl. Today, I received and email in an attempt to steal my password. The message title looked like this:

Second Life: Password Assistance "no-reply@secondlife.com" <no-reply@secondlife.com>

Message body below:

<Resident Name Here...it was one of my alts>

Click the link below to reset your password.
http://secondlife.com/ss/verify.php?r=d31d1223f9a744da835223be8ac9a2f7

If clicking does not work, you can copy and paste the link into your browser's
address window, or retype it there. Once you have returned to secondlife.com,
we will give instructions for resetting your password.

Linden Lab and the Second Life Team
http://secondlife.com


(requesting IP address: 80.44.133.191)

I immediately was suspicious because it's my understanding that Linden Lab doesn't send out emails regarding password changes. I'm thinking that it's a redirect that reads your cookie information should you click on the link above. And no, I wasn't taken in.
Be wary of such things. Even though the email looks authentic, even under full header, don't click on any links.

Thank you, and Merry Christmas.

That looks scarily real. Perhaps someone should check with LL whether the it is real or not?

Looks like someone tried to reset or request a lost password for you rather than a phishing scheme.

I did send in a support ticket, the reply was:

"Hi,
Thank you for contacting linden Lab Support, we do send out these emails to reset a password. It is done by automation so if you did not req a password reset then just delete it.


Regards

Linden Lab Support"

So...like I said, be careful.

That just looks like the email you'd get when someone uses the "Forgot your password?" option (https://secondlife.com/account/request.php). If it wasn't you, you can just safely ignore it (although kind of creepy if someone else did it).

When it comes to communication, LL will send emails from all over the place. When the support portal required a mass change of passwords, LL sent an email from lindenlabs@parature.com (yes, they spell their own name wrong ) without ever posting anything to the blog. Parature is the company that runs the support portal.

Even worse is when they use vresp.com (e-mail will look like [email]Second_Life_Support@mail.vresp.com[/email] but the addie before the @ will differ) which tends to mangle URLs into redirecting through vresp.com.

I'd say.. you'd be better off changing your password now, because if you aren't the one requesting the password, someone is!

Either that or someone with a name similar to yours was trying to change his or her password and misspelled their own name. But to be safe, I'd still change my password.

It looks pretty convincing...
Yet when I have changed my password I just get email saying something in regard that my password has change and it requires no confirmation that I remember.

Here are some things you need to know about gotchas in email:

The From field (sometimes called the Sender field) and the return address are trivial to forge. So they're never proof of authenticity, but neither do they prove fraud by themselves.


This is the tricky one.

Most people read email that's formatted in HTML. In HTML, it's trivial to create a link that looks like one address but actually goes to another. The source for this would be:

<a href="http://thieving.web.site">http://your.expected.real.site</a>

So you also can't trust the text of any link you find in your email. However, if you're comfortable reading HTML and if your mail reader lets you look at the HTML source (not all readers do), then you can determine whether or not the link is going to the right place. But be careful and thorough. Scam mail often has several legitimate links, so the bogus one may not stand out. It's also common to see a link that looks like

http://thieving.web.site?nothing=http;//your.expected.real.site

In other words, the correct URL isn't being used as the URL, it's simply being passed as a parameter to the bogus site. Other social engineering cheats are minor misspellings, e.g. sending you to second1ife.com.

In this particular case, if you had checked the source of the message and saw that it really was sending you to secondlife.com (reading it very carefully), you could have more confidence that the mail was authentic.


I'm not well versed in cross-site scripting attacks, which are the ones I associate with stealing cookies, but I don't think it's possible to steal cookies this way. But even if it did, there isn't much you can do with someone else's cookies on the SL website. Changes to your account require entering your password again, and the password is presumably not encoded in the cookies.

generally if you mouseover the link, you get a status message with the actual address... if they don't match (and they often don't with these scams) then ya don't want to click.

obviously OP knows they didn't send a password reset request... so it can be safely ignored...

assuming it was legitimately from LL:
if it was someone else, obviously they weren't able to get the password since the reset request went to OP's e-mail, so no risk really

it could also be someone with a similar name that didn't catch the misspelling, couldn't get in, so requested a reset... done it a few times myself